Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. SQL Server Agent jobs may fail after you change the SQL Server Agent service startup account by using the Windows Service Control Manager

SQL Server Agent jobs may fail after you change the SQL Server Agent service startup account by using the Windows Service Control Manager

Bug #: 413203 (SQLBUDT)

↑ Back to the top

Symptoms

If you run a SQL Server Agent job which has a step configured to “Run As” a specified proxy account, you may receive the following error message in the job history:

Error:

Executed as user : Domain\Account.

The process could not be created for step Step Number of job Unique Job ID (reason: A required privilege is not held by the client). The step failed.
This error message may commonly affect the following job step types:
  • Operating system (CmdExec) Job Step
  • SQL Server Integration Services Package Job Step
  • Replication job step types Job Step
Additionally, when you try to run a replication agent job, the replication agent job may fail and you may receive an error message that resembles the following:
Executed as user: <UserAccount>. Replication-Replication Snapshot Subsystem: agent <AgentName> failed. Executed as user: <UserAccount>. A required privilege is not held by the client. The step failed. [SQLSTATE 42000] (Error 14151). The step failed.

↑ Back to the top

Cause

This problem occurs because the Windows Service Control Manager cannot grant the required permissions to run agent jobs to the new domain account.

SQL Server Configuration Manager will take additional steps beyond changing the service account or password. These steps will add the service account to the appropriate group membership which provides the necessary permissions.

You will receive the second error message mentioned in the Symptoms section when the SQL Server Agent service account does not have the required operating system permissions to spawn the necessary child process under the context of the proxy account.

Note This error message is not typically caused by the proxy account itself, but rather by the SQL Server Agent service account trying to impersonate the proxy account. The SQL Server Agent Service account is missing the required privileges to do impersonation.

↑ Back to the top

Resolution

To resolve this problem, use SQL Server Configuration Manager to change the domain account back to a startup account. Then, use SQL Server Configuration Manager to change the startup account to a domain account. When you do this, SQL Server Configuration Manager will add the domain account to the following security group:
SQLServer2005SQLAgentUser$ComputerName$InstanceName
Therefore, SQL Server Configuration Manager will grant the required permissions to run agent jobs to the domain account.
To resolve the problem, follow these steps:
  1. Set the SQL Server Agent service account in SQL Server Configuration Manager to the LocalSystem account.
  2. Stop and then start the SQL Server Agent service.
  3. Reset the SQL Server Agent service account in SQL Server Configuration Manager back to the original account.
  4. Stop and then start the SQL Server Agent service.
You can also reset the password of the SQL Server Agent service account in SQL Server Configuration Manager.


To avoid this problem in the future, we recommend that you use SQL Server Configuration Manager instead of the Windows Service Control Manager to modify startup accounts.

For more information about how to change the SQL Server service account, visit the following Microsoft Web sites:

↑ Back to the top

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

↑ Back to the top

More Information

For SQL Server 2005, the following user groups are created by the SQL Server Setup program:
  • Default instance: SQLServer2005SQLAgentUser$ComputerName$MSSQLSERVER
  • Named instance: SQLServer2005SQLAgentUser$ComputerName$InstanceName
For SQL Server 2008, the following user groups are created by the SQL Server Setup program:
  • Default instance: SQLServerSQLAgentUser$ComputerName$MSSQLSERVER
  • Named instance: SQLServerSQLAgentUser$ComputerName$InstanceName
Those groups have the appropriate permissions to allow proxy accounts to be impersonated.

For more information about the required permissions for a SQL Server Agent service account, visit the following Microsoft Web sites:

↑ Back to the top

Keywords: kb, kbbug, kbexpertiseadvanced, kbsql2005repl

↑ Back to the top

Article Info
Article ID : 911305
Revision : 7
Created on : 8/19/2020
Published on : 8/20/2020
Exists online : False
Views : 84